Axiomatic set theory is almost universally accepted as the basic theory which provides the foundations of mathematics, and in which the whole of present day mathematics can be developed. As such, it is the most natural framework for Mathematical Knowledge Management. However, in order to be used for this task it is necessary to overcome serious gaps that exist between the "official" formulations of set theory (as given e.g. by formal set theory ZF) and actual mathematical practice. In this work we present a new unified framework for formalizations of axiomatic set theories of different strength, from rudimentary set theory to full ZF. It allows the use of set terms, but provides a static check of their validity. Like the inconsistent "ideal calculus" for set theory, it is essentially based on just two set-theoretical principles: extensionality and comprehension (to which we add $\in$-induction and optionally the axiom of choice). Comprehension is formulated as: $x \in \{x \mid \varphi\} \leftrightarrow \varphi$, where $\{x \mid \varphi\}$ is a legal set term of the theory. In order for $\{x \mid \varphi\}$ to be legal, $\varphi$ should be safe with respect to $\{x\}$, where safety is a relation between formulas and finite sets of variables. The various systems we consider differ from each other mainly with respect to the safety relations they employ. These relations are all defined purely syntactically (using an induction on the logical structure of formulas). The basic one is based on the safety relation which implicitly underlies commercial query languages for relational database systems (like SQL).



1 Introduction 

Axiomatic set theory is almost universally accepted as the basic theory which provides the foundations of mathematics, and in which the whole of present day mathematics can (and many say: should) be developed. As such, it is the most natural framework for MKM (Mathematical Knowledge Management). Moreover: as is emphasized and demonstrated in [8], set theory has not only a great pragmatic advantage as a basic language for mathematical discourse, but it also has a great computational potential as a basis for specification languages, declarative programming, and proof verifiers. However, in order to be used for any of these tasks it is necessary to overcome the following serious gaps that exist between the "official" formulations of set theory (as given e.g. by Zermelo-Fraenkel Set Theory ZF; see e.g. 0) and actual mathematical practice:

• ZF treats all the mathematical objects on a par, and so hides the computational significance of many of them. Thus although certain functions are first-class citizens in many programming languages, in set theory they are just "infinite sets", and ZF in its usual presentation is an extremely poor framework for computing with such sets (or handling them in a constructive way).

• Full ZF is far too strong for core mathematics, which practically deals only with a small fraction of the set-theoretical "universe". It is obvious that much weaker systems, corresponding to universes which are smaller, more effective, and better suited for computations, would do (presumably, such weaker systems will also be easier to mechanize).
A Logical Framework for Set Theories

The goal of this paper is to present a unified, user-friendly framework (originally developed in 0) 
for formalizations of axiomatic set theories of different strength, from rudimentary set theory to full ZF. 
Our framework makes it possible to employ in a natural way all the usual set notations and constructs as 
found in textbooks on naive or axiomatic set theory (and only such notations). Another important feature 
of this framework is that its set of closed terms suffices for denoting every concrete set (including infinite 
ones!) that might be needed in applications, as well as for computations with sets. 

Perhaps the most important problem which is solved in our framework is that official formalizations of axiomatic set theories in almost all textbooks are based on some standard first-order languages. In such languages terms are variables, constants, and sometimes function applications (like $x \cup y$). What is not available in the official languages of these formalizations is the use of set terms of the form $\{x \mid \varphi\}$. As a result, already the formulation of the axioms is quite cumbersome, and even the formalization of elementary proofs becomes something practically incomprehensible. In contrast, all modern texts in all areas of mathematics (including set theory itself) use such terms extensively. For the purpose of mechanizing real mathematical practice and for automated or interactive theorem proving, it is therefore important to have formalizations of ZF and related systems which allow the use of such terms. Now, set terms are used in all textbooks on first-order set theories, as well as in several computerized systems. However, whenever they are intended to denote sets (rather than classes) they are introduced (at least partially) in a dynamic way, based for example on the "extension by definitions" procedure (see [16], Sect. 4.6): in order to be able to introduce some set term for a set (as well as a new operation on sets) it is necessary first to justify this introduction by proving a corresponding existence theorem. The very useful complete separation we have in first-order logic between the (easy) check whether a given expression is a well-formed term or formula, and the (difficult) check whether it is a theorem, is thus lost. By analogy to programs: texts in such dynamic languages can only be "interpreted", but not "compiled". In contrast, a crucial feature of our framework is that although it makes extensive use of set terms, the languages used in it are all static: the task of verifying that a given term or formula is well-formed is decidable, easily mechanizable, and completely separated from any task connected with proving theorems (like finding proofs or checking validity of given ones). Expanding the language is allowed only through explicit definitions (i.e. new valid expressions of an extended language will just be abbreviations for expressions in the original language). This feature has the same obvious advantages that static type-checking has over dynamic type-checking.

Two other important features of the framework we propose are:

• It provides a unified treatment of two important subjects of set theory: axiomatization and absoluteness (the latter is a crucial issue in independence proofs and in the study of models of set theories - see e.g. [13]). In the usual approaches these subjects are completely separated. Absoluteness is investigated mainly from a syntactic point of view, axiomatizations - from a semantic one. Here both are given the same syntactic treatment. In fact, the basis of the framework is its formulation of rudimentary set theory, in which only terms for absolute sets are allowed. The other set theories are obtained from it by small changes in the syntactic definitions.

• Most of our systems (including the one which is equivalent to ZF) have the remarkable property that every set or function that is implicitly definable in them already has a term in the corresponding language which denotes it. More precisely: if $\varphi(x, y_1, \dots, y_n)$ is a formula such that $\forall y_1, \dots, y_n \exists! x\,\varphi$ is provable, then there is a term $t(y_1, \dots, y_n)$ such that $\varphi(y_1, \dots, y_n, t(y_1, \dots, y_n))$ is provable. Hence, there is no need at all for the procedure of extension by definitions (and introduction of new symbols is completely reduced to using abbreviations).
2 The Major Ideas

Our basic assumption is that the sets which are interesting from a computational point of view are those which can be defined in the form $\{x \mid \varphi\}$ using a formula $\varphi$ in some, intuitively meaningful, formal language. Of course, the paradoxes of naive set theory have shown that not every formula of such a language can be used for defining sets. Accordingly, the crucial question is: what formulas are "safe" for this task, and more generally: what formulas can be taken as defining a construction of a set from given objects (including other sets)? Various set theories provide different answers to this question. These answers are usually guided by semantic intuitions (like the limitation of size doctrine Q). Since here we aim at a computerized system, we shall translate the various semantic principles into syntactic (and in our opinion, less ad-hoc) constraints on the logical form of formulas. For this, we combine ideas from three seemingly very different sources:

Set Theory: Gödel's classical work [11] on the constructible universe $L$ is best known for its use in consistency and independence proofs. However, it is of course of great interest also for the study of the general notion of constructions with sets. Thus for characterizing the "constructible sets" Gödel identified a set of operations on sets (which we may call "computable"), that can be used for "effectively" constructing new sets from given ones. For example, binary union and intersection are "effective", while the powerset operation is not. Gödel has provided a finite list of basic operations, from which all other "effective" (for his purposes) constructions can be obtained through compositions. Another very important idea which was introduced in [11] is absoluteness — a key property (see 021) of formulas which are used for defining "constructible sets". Roughly, a formula is absolute if its truth value in a transitive class $M$, for some assignment $v$ of objects from $M$ to its free variables, depends only on $v$, but not on $M$.

Formal arithmetic: Absoluteness is not a decidable property. Therefore a certain set $\Delta_0$ of absolute formulas is extensively used in set theory as a syntactically defined approximation. Now a similar set $\Delta_0$ of formulas (also called in [17] "bounded formulas" or "$\Sigma_0$-formulas") which has exactly the same definition (except that $\in$ is replaced by $<$) is used in formal arithmetic in order to characterize the decidable and the semi-decidable (r.e.) relations on the natural numbers. This fact hints at an intimate connection (investigated in [4]) between absoluteness/constructibility and decidability/computability.

Relational database theory: The importance of computations with sets to this area is obvious: to provide an answer to a query in a relational database, a computation should be made in which the input is a finite set of finite sets of tuples (the "tables" of the database), and the output should also be a finite set of tuples. In other words: the computation is done with (finite) sets. Accordingly, for effective computations with finite relations some finite set of basic operations has been identified in database theory, and this basic set defines (via composition) what is called there "the relational algebra" ([1, 18]). Interestingly, there is a lot of similarity between the list of operations used in the relational algebra and Gödel's list of basic operations mentioned above. However, much more important is again the strong connection (observed in (0 SI)) between the notion of absoluteness used in set theory, and the notion of domain independence (HI COO) used in database theory, which practically serves as its counterpart of the notion of computability. A query in a database can be construed as a formula $\varphi$ in the language of set theory, augmented with constants for the relations in the database. The answer to such a query is the set of all $n$-tuples that satisfy $\varphi$, given the interpretations provided by the database for the extra constants (here $n$ is the number of free variables in $\varphi$; if $n = 0$ then the answer to the query is either "yes" or "no"). A domain-independent (d.i.) query is a query the answer to which depends only on the information included in the database, and on the objects which are mentioned in the query. Only such queries are considered meaningful. Moreover: the answer to such queries is always finite and computable. Therefore practical database query languages (like SQL) are designed so that only d.i. queries can be formulated in them, and each such query language is based on some syntactic criteria that ensure this property. In order to give these criteria a concise logical characterization, and in order to unify the notions of absoluteness and domain-independence, the formula property of d.i. was turned in [3, 4] into a safety relation $\succ$ between a formula $\varphi$ and finite subsets of $Fv(\varphi)$. The intuitive meaning of "$\varphi(x_1, \dots, x_n, y_1, \dots, y_k) \succ \{x_1, \dots, x_n\}$" in databases is: "$\varphi(x_1, \dots, x_n, d_1, \dots, d_k)$ is d.i. for all values $d_1, \dots, d_k$". In particular, $\varphi \succ \emptyset$ if $\varphi$ is absolute in the sense of axiomatic set theory.

In view of the connections between "absolute" and "decidable" and between "domain-independent" and "computable" (or "constructible"), in the realm of sets we shall intuitively take the meaning of "$\varphi(x_1, \dots, x_n, y_1, \dots, y_k) \succ \{x_1, \dots, x_n\}$" to be: "The collection $\{(x_1, \dots, x_n) \mid \varphi\}$ is an acceptable set for all acceptable values of $y_1, \dots, y_k$, and it can be constructed from these values". The differences between the strength of systems are intuitively due to different interpretations of the vague notions of "acceptable" and "can be constructed". At least in the basic systems, but also in some of the less basic ones, a crucial part of the meaning of both concepts is the demand that $\{(x_1, \dots, x_n) \mid \varphi\}$ is "domain independent" in a sense close to that used in database theory, i.e.: that $\varphi$ determines this collection in an absolute way, independent of the extension of the "surrounding universe" $V$. In particular: $\varphi \succ \emptyset$ implies in such set theories that $\varphi$ is absolute (in the set-theoretical sense mentioned above).

3 A Description of the General Framework 

3.1 Languages 

In our framework a language $L$ for a set theory $S$ should be based on some first-order signature $\sigma$ which includes the binary predicate symbols $\in$ and $=$. Moreover: it should be introduced using a simultaneous recursive definition of the following three components: its set of terms, its set of formulas, and the safety relation $\succ$ that it uses between formulas and finite sets of variables. The recursive definition of these components includes at least the following conditions:

Terms:

• Every variable and every constant of $\sigma$ is a term.

• If $f$ is an $n$-ary function symbol of $\sigma$, and $t_1, \dots, t_n$ are terms, then $f(t_1, \dots, t_n)$ is a term.

• If $x$ is a variable, and $\varphi$ is a formula such that $\varphi \succ \{x\}$, then $\{x \mid \varphi\}$ is a term.

Formulas:

• If $P$ is an $n$-ary predicate symbol of $\sigma$, and $t_1, \dots, t_n$ are terms, then $P(t_1, \dots, t_n)$ is an atomic formula.

• If $\varphi$ and $\psi$ are formulas, and $x$ is a variable, then $\neg\varphi$, $(\varphi \wedge \psi)$, $(\varphi \vee \psi)$, and $\exists x\varphi$ are formulas. In an intuitionistic system so are also $(\varphi \to \psi)$ and $\forall x\varphi$ (but in the classical case $\to$ and $\forall$ are better taken as defined in terms of $\neg$, $\wedge$, and $\exists$).

• An optional construct which may be useful in our framework and is not available in first-order languages is the transitive closure operation $TC$. If it is included, then $(TC_{x,y}\varphi)(t, s)$ is a formula whenever $\varphi$ is a formula, $x, y$ are distinct variables, and $t, s$ are terms. In this formula all occurrences of $x$ and $y$ in $\varphi$ are bound. The intended meaning of $(TC_{x,y}\varphi)(t, s)$ is the "disjunction": $\varphi\{s/x, t/y\} \vee \exists w_1(\varphi\{s/x, w_1/y\} \wedge \varphi\{w_1/x, t/y\}) \vee \exists w_1 \exists w_2(\varphi\{s/x, w_1/y\} \wedge \varphi\{w_1/x, w_2/y\} \wedge \varphi\{w_2/x, t/y\}) \vee \dots$ (where $w_1, w_2, \dots$ are all new variables).

Safety Relation:

$\varphi \succ \emptyset$ if $\varphi$ is atomic.

$\varphi \succ \{x\}$ if $\varphi \in \{x = t,\ t = x,\ x \in x,\ x \in t\}$, and $x \notin Fv(t)$.

$\neg\varphi \succ \emptyset$ if $\varphi \succ \emptyset$.

$\varphi \vee \psi \succ X$ if $\varphi \succ X$ and $\psi \succ X$.

$\varphi \wedge \psi \succ X \cup Y$ if $\varphi \succ X$, $\psi \succ Y$ and $Y \cap Fv(\varphi) = \emptyset$, or $X \cap Fv(\psi) = \emptyset$.

$\exists y\varphi \succ X - \{y\}$ if $y \in X$ and $\varphi \succ X$.

$\forall x(\varphi \to \psi) \succ \emptyset$ if $\varphi \succ \{x\}$ and $\psi \succ \emptyset$.¹

If $TC$ is included in the language then $(TC_{x,y}\varphi)(x, y) \succ X$ if $\varphi \succ X$, and $\{x, y\} \cap X \neq \emptyset$.

Notes:

1. The clauses concerning $\succ$ form a generalization (and simplification) of the definition of "syntactically safe" formulas from [18] (see [3], [4], [6]). The passage from the property of domain independence to the safety relation is mainly needed for an appropriate handling of conjunction.

2. Recalling the intended intuitive meaning(s) of our safety relations, it is not difficult to see that any safety relation $\succ$ should satisfy the conditions listed above. As an example, we explain the most complicated of them: the one connected with $\wedge$. Assume for simplicity that $\theta = \varphi \wedge \psi$, where $Fv(\varphi) = \{x, z\}$, $Fv(\psi) = \{x, y, z\}$, $\varphi \succ \{x\}$, and $\psi \succ \{y\}$. Given some "acceptable" set $c$, we should show that the collection $E(c)$ of all $(x, y)$ such that $\theta(x, y, c)$ should also be taken as "acceptable". Now the assumption that $\varphi \succ \{x\}$ implies that the collection $Z(c)$ of all $x$ such that $\varphi(x, c)$ is "acceptable". In turn, the assumption that $\psi \succ \{y\}$ implies that for every $d$ in this set, the collection $W(c, d)$ of all $y$ such that $\psi(d, y, c)$ is "acceptable". Since $E(c)$ is the union for $d \in Z(c)$ of the sets $\{d\} \times W(c, d)$, it is constructible from "acceptable" sets using Gödel's basic operations mentioned above, and so it too should intuitively be "acceptable" in any reasonable set theory. What is more, if $Z(c)$ is "constructible" from $c$ (in an absolute way), and $W(c, d)$ is "constructible" from $c$ and $d$ (in an absolute way), then this argument shows that $E(c)$ is "constructible" from $c$ (in an absolute way) as well.

3. The recursive definition of $\succ$ should ensure that $\succ$ has the following properties:

• If $\varphi \succ X$ then $X \subseteq Fv(\varphi)$.

• If $\varphi \succ X$ and $Z \subseteq X$, then $\varphi \succ Z$.

• If $\varphi \succ \{x_1, \dots, x_n\}$, $v_1, \dots, v_n$ are $n$ distinct variables not occurring in $\varphi$, and $\varphi'$ is obtained from $\varphi$ by replacing all occurrences of $x_i$ by $v_i$ ($i = 1, \dots, n$), then $\varphi' \succ \{v_1, \dots, v_n\}$.

It is easy to verify that all the safety relations used in the examples below have these properties, and so there is no need to add corresponding clauses to their definitions (but this might not be the case in general).



¹ In the classical case this condition is derivable from the others.
3.2 Logics



Our framework allows the use of any logic that is based on one of the two languages it employs (with classical and intuitionistic logics as the natural choices). One should note however the following points:

1. Our languages provide much richer classes of terms than those allowed in orthodox first-order systems. In particular: a variable can be bound in them within a term. The notion of a term being free for substitution is generalized accordingly (also for substitutions within terms!). As usual this amounts to avoiding the capture of free variables within the scope of an operator which binds them. Otherwise the rules/axioms concerning the quantifiers and terms remain unchanged (for example: $\varphi[x \mapsto t] \to \exists x\varphi$ is valid for every term $t$ which is free for $x$ in $\varphi$).

2. The rule of $\alpha$-conversion (change of bound variables) should be available in the logic.

3. The substitution of equals for equals should be allowed within any context (under the usual conditions concerning bound variables). The same should apply for the substitution of a formula for an equivalent formula in any context in which the substitution makes sense. In particular, the following schema should be valid whenever $\{x \mid \varphi\}$ and $\{x \mid \psi\}$ are legal terms:

$\forall x(\varphi \leftrightarrow \psi) \to \{x \mid \varphi\} = \{x \mid \psi\}$

4. The set of valid formulas of first-order languages enriched with the $TC$ operator is not even arithmetical. Hence no sound and complete formal system for it is possible. It follows that only appropriate formal approximations of the intended underlying logic may be used in practice. The best known approximation is the one given in [14], using a Hilbert-type system. An equivalent Gentzen-type formulation (with cuts) has been given in [2]. In that system mathematical induction is presented as the following logical rule:

$$\frac{\Gamma, \psi, \varphi \Rightarrow \Delta, \psi[x \mapsto y]}{\Gamma, \psi[x \mapsto s], (TC_{x,y}\varphi)(s, t) \Rightarrow \Delta, \psi[x \mapsto t]}$$

where $x$ and $y$ are not free in $\Gamma, \Delta$, and $y$ is not free in $\psi$.

3.3 Axioms 

The main part of all systems in our framework consists of the following axioms and axiom schemes (our version of the "ideal calculus" [7], augmented with the assumption that we are dealing with the cumulative universe):

Extensionality:

• $\forall y(y = \{x \mid x \in y\})$

Comprehension Schema:

• $\forall x(x \in \{x \mid \varphi\} \leftrightarrow \varphi)$

The Regularity Schema ($\in$-induction):

• $(\forall x(\forall y(y \in x \to \varphi[x \mapsto y]) \to \varphi)) \to \forall x\varphi$
Notes:



1. Thus the main parts of the various set theories we consider differ only with respect to the power of their comprehension scheme. This, in turn, depends only on the safety relation used by each.

2. It is easy to see (see [3]) that our assumptions concerning the underlying logic and the comprehension schema together imply that the above formulation of the extensionality axiom is equivalent to the more usual one: $\forall z(z \in x \leftrightarrow z \in y) \to x = y$.

3. The first two axioms immediately entail the following two principles (where $t$ is an arbitrary term):

• $\{x \mid x \in t\} = t$ (provided $x \notin Fv(t)$)

• $t \in \{x \mid \varphi\} \leftrightarrow \varphi[x \mapsto t]$ (provided $t$ is free for $x$ in $\varphi$)

These principles are counterparts of the reduction rules $(\eta)$ and $(\beta)$ (respectively) from the $\lambda$-calculus. Like their counterparts, they are designed to be used as simplification rules (at least in the solution of elementary problems).

4 The Most Basic System 

Our most basic system is the one which corresponds to the minimal safety relation (in a language without $TC$). For the reader's convenience, we explicitly present the definition of this relation:

Definition 1 The relation $\succ_{RST}$ is inductively defined as follows:

1. $\varphi \succ_{RST} \emptyset$ if $\varphi$ is atomic.

2. $\varphi \succ_{RST} \{x\}$ if $\varphi \in \{x = t,\ t = x,\ x \in t,\ x \in x\}$, and $x \notin Fv(t)$.

3. $\neg\varphi \succ_{RST} \emptyset$ if $\varphi \succ_{RST} \emptyset$.

4. $\varphi \vee \psi \succ_{RST} X$ if $\varphi \succ_{RST} X$ and $\psi \succ_{RST} X$.

5. $\varphi \wedge \psi \succ_{RST} X \cup Y$ if $\varphi \succ_{RST} X$, $\psi \succ_{RST} Y$, and $Y \cap Fv(\varphi) = \emptyset$.

6. $\exists y\varphi \succ_{RST} X - \{y\}$ if $y \in X$ and $\varphi \succ_{RST} X$.

We denote by RST (Rudimentary Set Theory) the set theory induced by $\succ_{RST}$ (within the framework described above). Note that RST without the $\in$-induction schema can be shown to be equivalent to Gandy's basic set theory [10], and to the system called $BST_0$ in [15].

The following theorem about RST can easily be proved:

Theorem 1 Given an expression $E$ and a finite set $X$ of variables, it is decidable in polynomial time whether $E$ is a valid term of RST, whether it is a valid formula of RST, and if the latter holds, whether $E \succ_{RST} X$.

Note. The last theorem is of crucial importance from the implementability point of view, and it obtains also for all the extensions of RST discussed (explicitly or implicitly) below. In order to ensure it, we did not include in the definition of safety relations the natural condition that if $\varphi \succ X$ and $\psi$ is (logically) equivalent to $\varphi$ (where $Fv(\varphi) = Fv(\psi)$) then also $\psi \succ X$. However, we obviously do have that if $\varphi \succ_{RST} \{x\}$, and $\vdash_{RST} \varphi \leftrightarrow \psi$, then $\vdash_{RST} x \in \{x \mid \varphi\} \leftrightarrow \psi$, and so $\vdash_{RST} \exists Z \forall x. x \in Z \leftrightarrow \psi$. Again this is true for any system in our framework.
4.1 The Power of RST

In the language of RST we can introduce as abbreviations most of the standard notations for sets used in mathematics. Again, all these abbreviations should be used in a purely static way: no justifying propositions and proofs are needed. Here are some examples:

$\emptyset =_{Df} \{x \mid x \in x\}$.

$\{t_1, \dots, t_n\} =_{Df} \{x \mid x = t_1 \vee \dots \vee x = t_n\}$ (where $x$ is new).

$(t, s) =_{Df} \{\{t\}, \{t, s\}\}$.

$(t_1, \dots, t_n)$ is $\emptyset$ if $n = 0$, $t_1$ if $n = 1$, $((t_1, \dots, t_{n-1}), t_n)$ if $n \geq 2$.

$\{x \in t \mid \varphi\} =_{Df} \{x \mid x \in t \wedge \varphi\}$, provided $\varphi \succ_{RST} \emptyset$ (where $x \notin Fv(t)$).

$\{t \mid x \in s\} =_{Df} \{y \mid \exists x. x \in s \wedge y = t\}$ (where $y$ is new, and $x \notin Fv(s)$).

$s \times t =_{Df} \{x \mid \exists a \exists b. a \in s \wedge b \in t \wedge x = (a, b)\}$ (where $x$, $a$ and $b$ are new).

$\{(x_1, \dots, x_n) \mid \varphi\} =_{Df} \{z \mid \exists x_1 \dots \exists x_n. \varphi \wedge z = (x_1, \dots, x_n)\}$, if $\varphi \succ_{RST} \{x_1, \dots, x_n\}$ and $z \notin Fv(\varphi)$.

$s \cap t =_{Df} \{x \mid x \in s \wedge x \in t\}$ (where $x$ is new).

$s \cup t =_{Df} \{x \mid x \in s \vee x \in t\}$ (where $x$ is new).

$s - t =_{Df} \{x \mid x \in s \wedge x \notin t\}$ (where $x$ is new).

$S(x) =_{Df} x \cup \{x\}$

$\bigcup t =_{Df} \{x \mid \exists y. y \in t \wedge x \in y\}$ (where $x$ and $y$ are new).

$\bigcap t =_{Df} \{x \mid \exists y(y \in t \wedge x \in y) \wedge \forall y(y \in t \to x \in y)\}$ (where $x, y$ are new).

$\iota x\varphi =_{Df} \bigcap \{x \mid \varphi\}$ (provided $\varphi \succ \{x\}$).

$\pi_1(z) = \iota x. \exists v \exists y(v \in z \wedge x \in v \wedge y \in v \wedge z = (x, y))$

$\pi_2(z) = \iota y. \exists v \exists x(v \in z \wedge x \in v \wedge y \in v \wedge z = (x, y))$

$\lambda x \in s. t =_{Df} \{(x, t) \mid x \in s\}$ (where $x \notin Fv(s)$)

$f(x) =_{Df} \iota y. \exists z \exists v(z \in f \wedge v \in z \wedge y \in v \wedge z = (x, y))$

$Dom(f) =_{Df} \{x \mid \exists z \exists v \exists y(z \in f \wedge v \in z \wedge y \in v \wedge x \in v \wedge y = f(x))\}$

$Rng(f) =_{Df} \{y \mid \exists z \exists v \exists x(z \in f \wedge v \in z \wedge y \in v \wedge x \in v \wedge y = f(x))\}$

$f/s =_{Df} \{(x, f(x)) \mid x \in s\}$ (where $x$ is new).

Notes

1. It is straightforward to check that in all these abbreviations the right hand side is a valid term of RST (provided that the terms/formulas occurring in it are valid terms/well-formed formulas of RST). We explain $s \times t$ by way of example: since $a$ and $b$ are new, $a \in s \succ_{RST} \{a\}$, and $b \in t \succ_{RST} \{b\}$. Since $b \notin Fv(a \in s)$, this implies that $a \in s \wedge b \in t \succ_{RST} \{a, b\}$. Similarly, $a \in s \wedge b \in t \wedge x = (a, b) \succ_{RST} \{a, b, x\}$. It follows that $\exists a \exists b. a \in s \wedge b \in t \wedge x = (a, b) \succ_{RST} \{x\}$. Hence our term for $s \times t$ (which is the most natural one) is a valid term of RST.

2. It can easily be seen that according to these definitions, $\bigcap \emptyset = \emptyset$, and so $\iota x\varphi$ denotes $\emptyset$ if there is no set which satisfies $\varphi$, while it denotes the intersection of all the sets which satisfy $\varphi$ otherwise. In particular: if there is exactly one set which satisfies $\varphi$, and $\varphi \succ \{x\}$, then $\iota x\varphi$ denotes this unique set (this fact has already been used above). It follows that if $\varphi(y_1, \dots, y_n, x)$ implicitly defines (in some theory extending the basic theory of our framework) a function $f_\varphi$, such that for all $y_1, \dots, y_n$, $f_\varphi(y_1, \dots, y_n)$ is the unique $x$ such that $\varphi(y_1, \dots, y_n, x)$, and if $\varphi \succ \{x\}$, then there is a term in the language which explicitly denotes $f_\varphi$; no extension of the language is needed for that.

3. It is easy to see that the usual reduction rules of the typed $\lambda$-calculus follow from the corresponding reduction rules described in Section 3.3. In particular: $\vdash_{RST} a \in s \to (\lambda x \in s. t)(a) = t\{a/x\}$.
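The safety relation of Definition 1 is a purely syntactic induction, and Theorem 1 says that deciding it is the static check which replaces the "extension by definitions" procedure. The following Python program is an added worked example (it is not code from the paper or its authors) that implements the six clauses of Definition 1 on a small term/formula AST and uses them as the validity check for set terms; it then builds the abbreviations $\{t_1, \dots, t_n\}$, $(t, s)$ and $s \times t$ of this section as genuine RST terms, so that the derivation in Note 1 above is checked mechanically. It assumes a signature with only the predicates $=$ and $\in$ (no function symbols and no $TC$); the class and function names (`Var`, `SetTerm`, `Atom`, `Bin`, `safe`, `valid_term`, `product`, ...) are its own.

```python
# Added example, not from the paper: a decision procedure for the RST safety
# relation of Definition 1 on a small AST, used as the static check that a
# set term {x | phi} is legal. Assumed signature: only "=" and "in" (∈).
import itertools
from dataclasses import dataclass

# AST nodes: terms are Var or SetTerm; formulas are Atom, Not, Bin, Exists.
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class SetTerm:          # {x | body}; x is bound in body
    x: str
    body: object
@dataclass(frozen=True)
class Atom:             # pred is "=" or "in"; left and right are terms
    pred: str
    left: object
    right: object
@dataclass(frozen=True)
class Not:
    f: object
@dataclass(frozen=True)
class Bin:              # op is "and" or "or"
    op: str
    a: object
    b: object
@dataclass(frozen=True)
class Exists:           # ∃y f
    y: str
    f: object

def fv(e):
    # Free variables of a term or formula; {x | ...} and ∃y bind a variable.
    if isinstance(e, Var):
        return frozenset([e.name])
    if isinstance(e, SetTerm):
        return fv(e.body) - {e.x}
    if isinstance(e, Atom):
        return fv(e.left) | fv(e.right)
    if isinstance(e, Bin):
        return fv(e.a) | fv(e.b)
    if isinstance(e, Not):
        return fv(e.f)
    return fv(e.f) - {e.y}

def valid_term(t):
    """A set term {x | phi} is legal only if phi ≻_RST {x}; variables always are."""
    return isinstance(t, Var) or (isinstance(t, SetTerm) and safe(t.body, {t.x}))

def safe(phi, X):
    """Decide phi ≻_RST X by the six clauses of Definition 1."""
    X = frozenset(X)
    if isinstance(phi, Atom):
        if not (valid_term(phi.left) and valid_term(phi.right)):
            return False                      # not a well-formed formula at all
        if not X:
            return True                       # clause 1: atomic, X = ∅
        if len(X) != 1:
            return False
        x, l, r = next(iter(X)), phi.left, phi.right
        if phi.pred == "=":                   # clause 2: x = t or t = x, x ∉ Fv(t)
            return (l == Var(x) and x not in fv(r)) or (r == Var(x) and x not in fv(l))
        # clause 2: x ∈ t with x ∉ Fv(t), or x ∈ x.  Note that t ∈ x is NOT safe for {x}.
        return l == Var(x) and (r == Var(x) or x not in fv(r))
    if isinstance(phi, Not):                  # clause 3: only ¬phi ≻ ∅
        return not X and safe(phi.f, X)
    if isinstance(phi, Bin) and phi.op == "or":   # clause 4: both disjuncts safe for X
        return safe(phi.a, X) and safe(phi.b, X)
    if isinstance(phi, Bin):
        # clause 5: X = X1 ∪ Y with phi.a ≻ X1, phi.b ≻ Y and Y ∩ Fv(phi.a) = ∅.
        # X1 ⊆ Fv(phi.a) always holds (Note 3, Sect. 3.1), so the split is forced.
        return safe(phi.a, X & fv(phi.a)) and safe(phi.b, X - fv(phi.a))
    return phi.y not in X and safe(phi.f, X | {phi.y})   # clause 6: ∃y phi ≻ X - {y}

# Abbreviations of Section 4.1 built as genuine RST terms, with fresh variables.
_counter = itertools.count()

def fresh(prefix="v"):
    return f"{prefix}{next(_counter)}"

def enum_set(*ts):
    """{t1,...,tn} =Df {x | x = t1 ∨ ... ∨ x = tn} (x new)."""
    x = fresh()
    body = Atom("=", Var(x), ts[0])
    for t in ts[1:]:
        body = Bin("or", body, Atom("=", Var(x), t))
    return SetTerm(x, body)

def pair(t, s):
    """(t,s) =Df {{t},{t,s}}."""
    return enum_set(enum_set(t), enum_set(t, s))

def product(s, t):
    """s × t =Df {x | ∃a∃b. a ∈ s ∧ b ∈ t ∧ x = (a,b)} (x, a, b new)."""
    x, a, b = fresh("x"), fresh("a"), fresh("b")
    body = Bin("and", Bin("and", Atom("in", Var(a), s), Atom("in", Var(b), t)),
               Atom("=", Var(x), pair(Var(a), Var(b))))
    return SetTerm(x, Exists(a, Exists(b, body)))
```

The conjunction clause needs no search for the split of $X \cup Y$: because $X \subseteq Fv(\varphi)$ always holds and $Y \cap Fv(\varphi) = \emptyset$ is required, $Y$ must be exactly the part of the target set outside $Fv(\varphi)$, which is what keeps the whole check polynomial as Theorem 1 states. With `valid_term` one finds that $\{x \mid x \in x\}$ (the term for $\emptyset$), $s \times t$, $\bigcup t$ and $s - t$ are accepted, while $\{x \mid \neg(x \in x)\}$, $\{x \mid x = x\}$ and $\{x \mid s \in x\}$ are rejected; the last of these is the set-theoretic analogue of a query that is not domain-independent, since its extension depends on the surrounding universe and not only on $s$.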

Exact characterizations of the operations that are explicitly definable in RST, and of the strength of RST, are given in the following theorems and corollary.

Theorem 2

1. If $F$ is an $n$-ary rudimentary function then there exists a formula $\varphi$ s.t.:

(a) $Fv(\varphi) = \{y, x_1, \dots, x_n\}$

(b) $\varphi \succ_{RST} \{y\}$

(c) $F(x_1, \dots, x_n) = \{y \mid \varphi\}$.

2. If $\varphi$ is a formula such that:

(a) $Fv(\varphi) = \{y_1, \dots, y_k, x_1, \dots, x_n\}$

(b) $\varphi \succ_{RST} \{y_1, \dots, y_k\}$

then there exists a rudimentary function $F$ such that:

$F(x_1, \dots, x_n) = \{(y_1, \dots, y_k) \mid \varphi\}$

Corollary 1 If $Fv(\varphi) = \{x_1, \dots, x_n\}$, and $\varphi \succ_{RST} \emptyset$ then $\varphi$ defines a rudimentary predicate $P$. Conversely, if $P$ is rudimentary then there is a formula $\varphi$ such that $\varphi \succ_{RST} \emptyset$ and $\varphi$ defines $P$.

4.2 Generalized Absoluteness 

For simplicity of presentation, we assume the cumulative universe $V$ of ZF, and formulate our definitions accordingly. It is easy to see that $V$ is a model of RST (with the obvious interpretations of RST's terms).

Definition 2 Let $\mathcal{M}$ be a transitive model of RST. Define the relativization to $\mathcal{M}$ of the terms and formulas of RST recursively as follows:

• $t_{\mathcal{M}} = t$ if $t$ is a variable or a constant.

• $\{x \mid \varphi\}_{\mathcal{M}} = \{x \mid x \in \mathcal{M} \wedge \varphi_{\mathcal{M}}\}$.

• $(t = s)_{\mathcal{M}} = (t_{\mathcal{M}} = s_{\mathcal{M}})$, $(t \in s)_{\mathcal{M}} = (t_{\mathcal{M}} \in s_{\mathcal{M}})$.

• $(\exists x\varphi)_{\mathcal{M}} = \exists x(x \in \mathcal{M} \wedge \varphi_{\mathcal{M}})$.

² The class of rudimentary set functions was introduced independently by Gandy ([10]) and Jensen ([12]). See also [9], Sect. IV.1.

Definition 3 Let $T$ be an extension of RST such that $V \models T$.
1. Let $t$ be a term, and let $Fv(t) = \{y_1, \dots, y_n\}$. We say that $t$ is $T$-absolute if the following is true (in $V$) for every transitive model $\mathcal{M}$ of $T$:

$\forall y_1 \dots \forall y_n. y_1 \in \mathcal{M} \wedge \dots \wedge y_n \in \mathcal{M} \to t_{\mathcal{M}} = t$

2. Let $\varphi$ be a formula, and let $Fv(\varphi) = \{y_1, \dots, y_n, x_1, \dots, x_k\}$. We say that $\varphi$ is $T$-absolute for $\{x_1, \dots, x_k\}$ if $\{(x_1, \dots, x_k) \mid \varphi\}$ is a set for all values of the parameters $y_1, \dots, y_n$, and the following is true (in $V$) for every transitive model $\mathcal{M}$ of $T$:

$\forall y_1 \dots \forall y_n. y_1 \in \mathcal{M} \wedge \dots \wedge y_n \in \mathcal{M} \to [\varphi \leftrightarrow (x_1 \in \mathcal{M} \wedge \dots \wedge x_k \in \mathcal{M} \wedge \varphi_{\mathcal{M}})]$

Thus a term is $T$-absolute if it has the same interpretation in all transitive models of $T$ which contain the values of its parameters, while a formula is $T$-absolute for $\{x_1, \dots, x_k\}$ if it has the same extension (which should be a set) in all transitive models of $T$ which contain the values of its other parameters. In particular: $\varphi$ is $T$-absolute for $\emptyset$ iff it is absolute relative to $T$ in the usual sense of set theory (see e.g. [13]), while $\varphi$ is $T$-absolute for $Fv(\varphi)$ iff it is domain-independent in the sense of database theory for transitive models of $T$.

Theorem 3

1. Any valid term $t$ of RST is RST-absolute.

2. If $\varphi \succ_{RST} X$ then $\varphi$ is RST-absolute for $X$.

5 Handling the Axioms of ZF and ZFC 

5.1 Subsets, Replacement, and Powerset

The definability of $\{t, s\}$ and of $\bigcup t$ in the language of RST means that the axioms of pairing and union are provable in RST. We turn now to the question how to deal with the other comprehension axioms of ZF within the proposed framework. We start with the comprehension axioms that remain valid if we limit ourselves to hereditarily finite sets. It can be shown ([4]) that each of them can be captured (in a modular way) by adding to the definition of $\succ_{RST}$ a certain syntactic condition. Here are those conditions:

Separation: $\varphi \succ \emptyset$ for every formula $\varphi$.

Replacement: $\exists y\varphi \wedge \forall y(\varphi \to \psi) \succ X$ if $\psi \succ X$, and $X \cap Fv(\varphi) = \emptyset$.

Powerset: $\forall y(y \in x \to \varphi) \succ (X - \{y\}) \cup \{x\}$ if $\varphi \succ X$, $y \in X$, and $x \notin Fv(\varphi)$.

Another (and perhaps simpler) method to handle the powerset axiom is to enrich first the language with a new binary relation $\subseteq$. Then add to the definition of the safety relation the condition: $x \subseteq t \succ \{x\}$ if $x \notin Fv(t)$. Finally, add the usual definition of $\subseteq$ in terms of $\in$ as an extra axiom: $\forall x \forall y(x \subseteq y \leftrightarrow \forall z(z \in x \to z \in y))$. Alternatively, since $\subseteq$ is now taken as primitive, it might be more natural to use it as such in our axioms. This means that instead of adding the above axiom, it might be preferable to replace the single extensionality axiom of BZF with the following three: (Ex1) $x \subseteq y \wedge y \subseteq x \to x = y$, (Ex2) $z \in x \wedge x \subseteq y \to z \in y$, and (Ex3) $x \subseteq y \vee \exists z(z \in x \wedge z \notin y)$.

Note. If any of the conditions introduced in this subsection is used then the counterpart of Theorem 3 is not valid for the resulting system. Hence these conditions are not coherent with our initial intuitions (thus from the perspective of our framework, the condition that corresponds to the separation schema means that from the point of view of ZF, every formula defines a "decidable" relation on the universe $V$ of sets). As a compensation, we have the following remarkable property of the condition that corresponds to replacement (see A3):
Theorem 4 Let $\mathcal{T}$ be a set theory in our framework such that the corresponding safety relation $\succ_{\mathcal{T}}$ satisfies the condition that corresponds to replacement. Then for any formula $\varphi$ of $\mathcal{T}$ such that $Fv(\varphi) = \{y_1, \dots, y_n, x\}$, there exists a term $t_\varphi$ of $\mathcal{T}$ such that $Fv(t_\varphi) = \{y_1, \dots, y_n\}$, and

$\vdash_{\mathcal{T}} \forall y_1, \dots, y_n \exists! x\varphi \to \forall y_1, \dots, y_n(\varphi[x \mapsto t_\varphi])$

5.2 The Axiom of Infinity 

Next we turn to the axiom of Infinity — the only comprehension axiom that necessarily takes us out of the realm of finite sets. As long as we stick to first-order languages, it seems impossible to incorporate it into our systems by just imposing new simple syntactic conditions on the safety relation. Instead, the best way to capture it is to add to the basic signature a new constant $HF$ (interpreted as the collection $\mathcal{HF}$ of hereditarily finite sets) together with the following counterparts of Peano's axioms:

1. $\emptyset \in HF$

2. $\forall x \forall y. x \in HF \wedge y \in HF \to x \cup \{y\} \in HF$

3. $\varphi(\emptyset) \wedge (\forall x \forall y. \varphi(x) \wedge \varphi(y) \to \varphi(x \cup \{y\})) \to \forall x \in HF. \varphi(x)$

Definition 4 $RST_\omega$ is the theory which is obtained from RST by the addition of the constant $HF$ and the above counterparts of Peano's axioms.

On the other hand, if a language with $TC$ is used, then we get the infinity axiom for free, since both $\mathcal{HF}$ and the set $\omega$ of the finite ordinals are definable in this extended language by valid terms (see [6]). Thus the one that defines $\omega$ is $\omega = \{y \mid \exists x. x = \emptyset \wedge (TC_{x,y}\ y = \{z \mid z = x \vee z \in x\})(x, y)\}$.

Definition 5 Let $\succ_{PZF}$ be the minimal safety relation in a language with $TC$ (note that the only difference between $\succ_{PZF}$ and $\succ_{RST}$ is the extra clause for $TC$). We denote by PZF (predicative set theory) the set theory induced by $\succ_{PZF}$ within our framework.

Note. An important property of $RST_\omega$ and PZF is that Theorem 3 does remain valid if instead of RST we consider either of them. Hence these systems are coherent with our initial motivations and intuitions.

5.3 The Axiom of Choice

The full set theory ZFC has one more axiom, which does not fit into the formal framework described above: AC (the axiom of choice). It seems that the most natural way to incorporate it into our framework is by further extending the set of terms, using Hilbert's $\varepsilon$ symbol, together with its usual characterizing axiom (which is equivalent to the axiom of global choice): $\exists x\varphi \to \varphi[x \mapsto \varepsilon x\varphi]$. It should be noted that this move is not in line with our stated goal of employing only standard notations used in textbooks, but some price should be paid for including the axiom of choice in a system.

6 Structures and Computations 

Let $\mathcal{T}$ be a theory formulated within the classical part of our framework. From the Platonist point of view its set of closed terms induces some subset $\mathcal{S}(\mathcal{T})$ of the universe $V$ of sets. The identity of $\mathcal{S}(\mathcal{T})$ depends only on the language of $\mathcal{T}$ and on the interpretations of the symbols its signature has in addition to $\in$, $=$, and $\subseteq$ (if such symbols exist). It does not depend on its axioms. In addition, for any transitive model $\mathcal{M}$ of $\mathcal{T}$, $\mathcal{S}(\mathcal{T})$ determines some subset $\mathcal{M}(\mathcal{T})$ of $\mathcal{M}$ (which might not be an element of $\mathcal{M}$). Now a theory $\mathcal{T}$ is computationally interesting if the set $\mathcal{S}(\mathcal{T})$ it induces is a "universe" in the sense that it is a transitive model of $\mathcal{T}$. According to our guiding ideas, such a theory $\mathcal{T}$ and its model $\mathcal{S}(\mathcal{T})$ have a special significance from a computational point of view if the identity of the latter is absolute in the sense that $\mathcal{M}(\mathcal{T}) = \mathcal{S}(\mathcal{T})$ for any transitive model $\mathcal{M}$ of $\mathcal{T}$ (implying that $\mathcal{S}(\mathcal{T})$ is actually a minimal transitive model of $\mathcal{T}$). From results in @ it follows that at least the following theories have both properties:

RST: Its minimal model $\mathcal{S}(RST)$ is identical to $\mathcal{HF}$, which is $J_1$ in Jensen's hierarchy ([12], [9]) and $L_\omega$ in Gödel's hierarchy ([11], [9]) of constructible sets.

$RST_\omega$: Its minimal model $\mathcal{S}(RST_\omega)$ is $J_2$ in Jensen's hierarchy.

PZF: Its minimal model is $J_{\omega^\omega} = L_{\omega^\omega}$.